Reputation: 429
Too many roles with RBAC. Alternatives?
To represent the fact that role X can do Y on resource Z, I create a role called "role-Y:Z". The problem is, the number of "resource"s here is ever increasing, and so are the roles.
For every resource that I create, I end up creating 4 roles.
Problem is, RBAC is too coarse-grained for my usecase.
Am I implementing RBAC the wrong way? Any idea how to avoid this role explosion? Maybe I should not use RBAC at all?
Upvotes: 2
Views: 1201
Answers (1)
Reputation: 17506
Maybe I should not use RBAC at all?
You need ReBAC (Relationship Based Access Control) :)
ReBAC solutions such as those based on Google's Zanzibar paper are a good solution for your need of fine-grained permissions.
Some of the companies offering Fine Grained Authorization include:
- Auth0 Fine Grained Authorization (FGA) - SaaS
- Authzed - SaaS and OSS offering
- Ory Keto - OSS offering
Upvotes: 2
Related Questions
- RBAC + ABAC hybrid access control model
- Designing a role based access control with support for relations
- RBAC system with two parameters
- Need some advice on my own Role Based Access Control (RBAC)
- Is my Role Based Access Control a feasible solution?
- Resource Based Access Control vs Role Based Access Control
- Design review - Performance and Scalability concerns for a role based access system
- Role-based access control with REST (HTTP)?
- Best way to implement RBAC with Access
- Non RBAC User Roles and Permissions System: a role with properties